About Advanced Access Control Settings for Network Analysis and Intrusion Policies

Many of the advanced settings in an access control
policy govern intrusion detection and prevention configurations that require
specific expertise to configure. Advanced settings typically require little or
no modification and are not common to every deployment.

The Default Intrusion Policy

Each access control policy uses its default intrusion policy to initially
inspect traffic before the system can determine exactly how to inspect that
traffic. This is needed because sometimes the system must process the first
few packets in a connection, allowing them to pass, before it can decide which
access control rule (if any) will handle the traffic. However, so that these
packets do not reach their destination uninspected, you can use an intrusion
policy—called the default intrusion policy—to inspect them and generate
intrusion events. By default, the default intrusion policy uses the default
variable set.

A default intrusion policy is especially useful when performing
application control and URL filtering, because the system cannot identify
applications or filter URLs before a connection is fully established between
the client and the server. For example, if a packet matches all the other
conditions in an access control rule with an application or URL condition, it
and subsequent packets are allowed to pass until the connection is established
and application or URL identification is complete, usually 3 to 5 packets.

The system inspects these allowed packets with the default
intrusion policy, which can generate events and, if placed inline, block
malicious traffic. After the system identifies the access control rule or
default action that should handle the connection, the remaining packets in the
connection are handled and inspected accordingly.

When you create an access control policy, its default intrusion
policy depends on the default action you
first chose. Initial default intrusion policies for access
control are as follows:

Balanced Security and Connectivity (a system-provided policy) is the default
intrusion policy for an access control policy where you first chose the
Intrusion Prevention default action.

No Rules Active is the default intrusion policy for an access
control policy where you first chose the
Block all traffic or
Network Discovery default action. Although choosing
this option disables intrusion inspection on the allowed packets described
above, it can improve performance if you are not interested in intrusion data.

Note

If you are not performing intrusion inspection (for example, in
a discovery-only deployment), keep the No Rules Active policy as your default
intrusion policy.

If you change your default action after you create the access
control policy, the default intrusion policy does
not automatically change. To change it manually, use the
access control policy’s advanced options.

You can choose a system- or user-created policy.

Note

The network analysis policy associated with the first matching
network analysis rule preprocesses traffic for the default intrusion policy. If
there are no network analysis rules, or none match, the default network
analysis policy is used.

Setting the Default Intrusion Policy

Smart License: Any
Classic License: Any
Supported Devices: Any
Supported Domains: Any
Access: Admin/Access Admin/Network Admin

Caution

Changing the total number of intrusion policies used by an access control policy restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic
drops during this interruption or passes without further inspection depends on how the target device handles traffic. See
Snort® Restart Traffic Behavior for more information. You change the total number of intrusion policies by adding an intrusion policy that is not currently used, or by removing
the last instance of an intrusion policy. You can use an intrusion policy in an access control rule, as the default action,
or as the default intrusion policy.

Procedure

Step 1

In the access control policy editor, click the
Advanced tab, then click the edit icon
next to the Network Analysis and Intrusion Policies section.

If a view icon appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings. If
the configuration is unlocked, uncheck
Inherit from base policy to enable editing.

Step 2

Select an intrusion policy from the
Intrusion Policy used before Access Control rule is
determined drop-down list.

If you choose a user-created policy, you can click the edit icon
to edit the policy in a new window. You cannot edit system-provided policies.

Step 3

Optionally, select a different variable set from the
Intrusion Policy Variable Set drop-down list. You
can also click the edit icon
next to the variable set to create and edit variable sets. If you do not change
the variable set, the system uses a default set.

Step 4

Click
OK.

Step 5

Click
Save to save the policy.

Advanced Settings for Network Analysis Policies

Network analysis policies govern how traffic is decoded and
preprocessed so that it can be further evaluated, especially for anomalous
traffic that might signal an intrusion attempt. This traffic preprocessing
occurs after Security Intelligence blacklisting and traffic decryption, but
before intrusion policies inspect packets in detail. By default, the
system-provided Balanced Security and Connectivity network analysis policy is
the default network analysis policy.

Tip

The system-provided Balanced Security and Connectivity network
analysis policy and the Balanced Security and Connectivity intrusion policy
work together and can both be updated in intrusion rule updates. However, the
network analysis policy governs mostly preprocessing options, whereas the
intrusion policy governs mostly intrusion rules.

A simple way to tune preprocessing is to create and use a custom
network analysis policy as the default. For advanced users with complex
deployments, you can create multiple network analysis policies, each tailored
to preprocess traffic differently. Then, you can configure the system to use
those policies to govern the preprocessing of traffic using different security
zones, networks, or VLANs.

To accomplish this, you add custom
network analysis rules to your access control policy. A
network analysis rule is simply a set of configurations and conditions that
specifies how you preprocess traffic that matches those qualifications. You
create and edit network analysis rules in the advanced options in an existing
access control policy. Each rule belongs to only one policy.

Each rule has:

a set of rule conditions that identifies the specific traffic
you want to preprocess

an associated network analysis policy that you want to use to
preprocess traffic that meets all the rule's conditions

When it is time for the system to preprocess traffic, it matches
packets to network analysis rules in top-down order by rule number. Traffic
that does not match any network analysis rules is preprocessed by the default
network analysis policy.

Setting the Default Network Analysis Policy

Smart License: Any
Classic License: Any
Supported Devices: Any
Supported Domains: Any
Access: Admin/Access Admin/Network Admin

You can choose a system- or user-created policy.

Note

If you disable a preprocessor but the system needs to evaluate
preprocessed packets against an enabled intrusion or preprocessor rule, the
system automatically enables and uses the preprocessor although it remains
disabled in the network analysis policy web interface. Tailoring preprocessing,
especially using multiple custom network analysis policies, is an
advanced task. Because preprocessing and intrusion
inspection are so closely related, you
must be careful that you allow the network analysis and
intrusion policies examining a single packet to complement each other.

Procedure

Step 1

In the access control policy editor, click the
Advanced tab, then click the edit icon
next to the Network Analysis and Intrusion Policies section.

If a view icon appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings. If
the configuration is unlocked, uncheck
Inherit from base policy to enable editing.

If you choose a user-created policy, you can click the edit icon
to edit the policy in a new window. You cannot edit system-provided policies.

Caution

Changing the total number of network analysis policies used by an access control policy restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic
drops during this interruption or passes without further inspection depends on how the target device handles traffic. See
Snort® Restart Traffic Behavior for more information. You change the total number of network analysis policies by adding a policy that is not currently used, or by removing the
last instance of a network analysis policy. You can use a network analysis policy with network analysis rules or as the default
network analysis policy.

Network Analysis Rules

Within your access control policy’s advanced settings, you can
use network analysis rules to tailor preprocessing configurations to network
traffic.

Network analysis rules are numbered, starting at 1. When it is
time for the system to preprocess traffic, it matches packets to network
analysis rules in top-down order by ascending rule number, and preprocesses
traffic according to the first rule where all the rule’s conditions match.

You can add zone, network, and VLAN tag conditions to a rule. If
you do not configure a particular condition for a rule, the system does not
match traffic based on that criterion. For example, a rule with a network
condition but no zone condition evaluates traffic based on its source or
destination IP address, regardless of its ingress or egress interface. Traffic
that does not match any network analysis rules is preprocessed by the default
network analysis policy.
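The first-match evaluation described above (and in the rule overview under Advanced Settings for Network Analysis Policies) can be made concrete with a small model. The following Python is an added illustration, not Cisco documentation or Firepower product code: the rule numbers, policy names, zone names, addresses and VLAN IDs are constructed sample values, and the simplification that a zone or network condition matches on either the source or the destination side of the packet is an assumption made for brevity. What it demonstrates is the documented semantics: evaluation by ascending rule number, an unconfigured condition acting as a wildcard, and fallback to the default network analysis policy.

```python
"""Model of first-match network analysis rule selection.

Added illustration, not Cisco Firepower code. Rules are evaluated in
ascending rule number; a rule matches when every condition it defines is
satisfied, an undefined condition is a wildcard, and traffic that matches
no rule is preprocessed by the default network analysis policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    ingress_zone: str
    egress_zone: str
    vlan: Optional[int] = None  # None means untagged


@dataclass(frozen=True)
class NetworkAnalysisRule:
    number: int
    policy: str
    # Empty collections mean "condition not configured" (wildcard).
    # Assumption for brevity: zone and network conditions match on either
    # the source or the destination side of the packet.
    zones: FrozenSet[str] = frozenset()
    networks: Tuple[str, ...] = ()
    vlans: FrozenSet[int] = frozenset()

    def matches(self, pkt: Packet) -> bool:
        """True when every configured condition holds for this packet."""
        if self.zones and not ({pkt.ingress_zone, pkt.egress_zone} & self.zones):
            return False
        if self.networks:
            src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
            if not any(src in ip_network(n) or dst in ip_network(n)
                       for n in self.networks):
                return False
        if self.vlans and pkt.vlan not in self.vlans:
            return False
        return True


def select_policy(rules: Iterable[NetworkAnalysisRule], pkt: Packet,
                  default_policy: str) -> Tuple[Optional[int], str]:
    """Return (rule number, policy) for the lowest-numbered matching rule,
    or (None, default_policy) when no rule matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.policy
    return None, default_policy


DEFAULT_POLICY = "Balanced Security and Connectivity"  # system-provided default

# Constructed sample rules, deliberately listed out of order to show that
# evaluation follows the rule number, not the position in the list.
RULES = (
    NetworkAnalysisRule(2, "Internal-NAP", networks=("10.1.0.0/16",)),
    NetworkAnalysisRule(1, "DMZ-NAP", zones=frozenset({"dmz"}),
                        networks=("10.1.0.0/16",)),
    NetworkAnalysisRule(3, "VLAN100-NAP", vlans=frozenset({100})),
)

# Constructed sample traffic.
SAMPLE_PACKETS = (
    # network matches rule 2; rule 1 requires zone "dmz", so it is skipped
    Packet("10.1.2.3", "192.0.2.10", "inside", "outside"),
    # rules 1 and 2 both match; rule 1 wins because it has the lower number
    Packet("10.1.2.3", "192.0.2.10", "dmz", "outside"),
    # no zone or network match; VLAN 100 satisfies rule 3
    Packet("172.16.0.5", "198.51.100.7", "inside", "outside", vlan=100),
    # matches nothing, so the default network analysis policy applies
    Packet("172.16.0.5", "198.51.100.7", "inside", "outside", vlan=200),
)


def classify_samples():
    """Apply the sample rules to every sample packet."""
    return [select_policy(RULES, p, DEFAULT_POLICY) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, (num, policy) in zip(SAMPLE_PACKETS, classify_samples()):
        hit = f"rule {num}" if num is not None else "no rule (default)"
        print(f"{pkt.src_ip} -> {pkt.dst_ip} zones {pkt.ingress_zone}/"
              f"{pkt.egress_zone} vlan {pkt.vlan}: {hit} -> {policy}")
```

The second sample packet is the case worth checking in a real deployment: when a narrow rule and a broad rule both match, only the lower-numbered one is ever applied, so a specific rule placed after a broad one is silently shadowed, and the rule order on the Network Analysis Rules page decides which preprocessing a packet actually receives.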

Configuring Network Analysis Rules

Procedure

Step 1

In the access control policy editor, click the
Advanced tab, then click the edit icon
next to the Network Analysis and Intrusion Policies section.

If a view icon appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings. If
the configuration is unlocked, uncheck
Inherit from base policy to enable editing.

Step 2

Next to
Network Analysis Rules, click the statement that
indicates how many custom rules you have.

Step 3

Click
Add Rule.

Step 4

Configure the rule's conditions by clicking the tabs corresponding to the
conditions you want to add; see Rule Condition Types.

Step 5

Click the
Network Analysis tab and choose the Network Analysis Policy you want to use to preprocess the
traffic matching this rule.

Click the edit icon to edit a custom policy in a new
window. You cannot edit system-provided policies.

Caution

Changing the total number of network analysis policies used by an access control policy restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Whether traffic
drops during this interruption or passes without further inspection depends on how the target device handles traffic. See
Snort® Restart Traffic Behavior for more information. You change the total number of network analysis policies by adding a policy that is not currently used, or by removing the
last instance of a network analysis policy. You can use a network analysis policy with network analysis rules or as the default
network analysis policy.

Managing Network Analysis Rules

Smart License: Any
Classic License: Any
Supported Devices: Any
Supported Domains: Any
Access: Admin/Access Admin/Network Admin

A network analysis rule is simply a set of configurations and
conditions that specifies how you preprocess traffic that matches those
qualifications. You create and edit network analysis rules in the advanced
options in an existing access control policy. Each rule belongs to only one
policy.

Procedure

Step 1

In the access control policy editor, click the
Advanced tab, then click the edit icon
next to the Intrusion and Network Analysis Policies section.

If a view icon appears instead, settings are inherited from an ancestor policy, or you do not have permission to modify the settings. If
the configuration is unlocked, uncheck
Inherit from base policy to enable editing.

Step 2

Next to
Network Analysis Rules, click the statement that
indicates how many custom rules you have.

Step 3

Edit your custom rules. You have the following options:

To edit a rule’s conditions, or change the network analysis
policy invoked by the rule, click the edit icon
next to the rule.

To change a rule’s order of evaluation, click and drag the rule
to the correct location. To select multiple rules, use the Shift and Ctrl keys.

To delete a rule, click the delete icon
next to the rule.

Tip

Right-clicking a rule displays a context menu that allows you to
cut, copy, paste, edit, delete, and add new network analysis rules.